From 46611bf5a4db92013ea93e773403011246c24ed6 Mon Sep 17 00:00:00 2001 From: coolsnowwolf Date: Wed, 8 May 2024 03:22:38 +0800 Subject: [PATCH] crowdsec-firewall-bouncer: add package --- net/crowdsec-firewall-bouncer/Makefile | 97 +++++++ .../files/crowdsec-firewall-bouncer.initd | 238 ++++++++++++++++++ .../files/crowdsec.config | 15 ++ 3 files changed, 350 insertions(+) create mode 100644 net/crowdsec-firewall-bouncer/Makefile create mode 100755 net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd create mode 100644 net/crowdsec-firewall-bouncer/files/crowdsec.config diff --git a/net/crowdsec-firewall-bouncer/Makefile b/net/crowdsec-firewall-bouncer/Makefile new file mode 100644 index 00000000..3f146409 --- /dev/null +++ b/net/crowdsec-firewall-bouncer/Makefile @@ -0,0 +1,97 @@ +# SPDX-License-Identifier: MIT +# +# Copyright (C) 2021-2022 Gerald Kerma +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=crowdsec-firewall-bouncer +PKG_VERSION:=0.0.28 +PKG_RELEASE:=2 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=1e0f4d3cd8bc73da21eafc9b965fda0c1c1b0a27a2acc038004602797e4fccf0 + +PKG_LICENSE:=MIT +PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Gerald Kerma + +PKG_BUILD_DEPENDS:=golang/host +PKG_BUILD_PARALLEL:=1 +PKG_BUILD_FLAGS:=no-mips16 +PKG_BUILD_DIR:=$(BUILD_DIR)/cs-firewall-bouncer-$(PKG_VERSION) + +CSFB_BUILD_VERSION?=v$(PKG_VERSION) +CSFB_BUILD_GOVERSION:=$(shell go version | cut -d " " -f3 | sed -E 's/[go]+//g') +CSFB_BUILD_TIMESTAMP:=$(shell date +%F"_"%T) +CSFB_BUILD_TAG:=openwrt-$(PKG_VERSION)-$(PKG_RELEASE) +CSFB_VERSION_PKG:=github.com/crowdsecurity/cs-firewall-bouncer/pkg/version + +GO_PKG:=github.com/crowdsecurity/cs-firewall-bouncer +GO_PKG_INSTALL_ALL:=1 +GO_PKG_LDFLAGS_X:=$(CSFB_VERSION_PKG).Version=$(CSFB_BUILD_VERSION) \ + $(CSFB_VERSION_PKG).BuildDate=$(CSFB_BUILD_TIMESTAMP) \ + $(CSFB_VERSION_PKG).Tag=$(CSFB_BUILD_TAG) \ + $(CSFB_VERSION_PKG).GoVersion=$(CSFB_BUILD_GOVERSION) + +include $(INCLUDE_DIR)/package.mk +include ../../lang/golang/golang-package.mk + +define Package/crowdsec-firewall-bouncer/Default + SECTION:=net + CATEGORY:=Network + TITLE:=Firewall bouncer for Crowdsec + URL:=https://github.com/crowdsecurity/cs-firewall-bouncer/ +endef + +define Package/crowdsec-firewall-bouncer +$(call Package/crowdsec-firewall-bouncer/Default) + DEPENDS:=$(GO_ARCH_DEPENDS) +endef + +define Package/golang-crowdsec-firewall-bouncer-dev +$(call Package/crowdsec-firewall-bouncer/Default) +$(call GoPackage/GoSubMenu) + TITLE+= (source files) + DEPENDS:=$(GO_ARCH_DEPENDS) + PKGARCH:=all +endef + +define Package/crowdsec-firewall-bouncer/Default/description + Crowdsec bouncer written in golang for firewalls. + + crowdsec-firewall-bouncer will fetch new and old decisions + from a CrowdSec API to add them in a blocklist used by supported firewalls. + + You must install nftables. +endef + +define Package/crowdsec-firewall-bouncer/description +$(call Package/crowdsec-firewall-bouncer/Default/description) + + This package contains the main program. +endef + +define Package/golang-crowdsec-firewall-bouncer-dev/description +$(call Package/crowdsec-firewall-bouncer/Default/description) + + This package provides the source files for the program. +endef + +define Package/crowdsec-firewall-bouncer/install + $(call GoPackage/Package/Install/Bin,$(1)) + + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_CONF) ./files/crowdsec.config $(1)/etc/config/crowdsec + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/crowdsec-firewall-bouncer.initd $(1)/etc/init.d/crowdsec-firewall-bouncer +endef + +define Package/crowdsec-firewall-bouncer/conffiles +/etc/config/crowdsec +endef + +$(eval $(call GoBinPackage,crowdsec-firewall-bouncer)) +$(eval $(call BuildPackage,crowdsec-firewall-bouncer)) diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd b/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd new file mode 100755 index 00000000..eb5b79b7 --- /dev/null +++ b/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.initd @@ -0,0 +1,238 @@ +#!/bin/sh /etc/rc.common + +USE_PROCD=1 + +START=99 + +NAME=crowdsec-firewall-bouncer +PROG=/usr/bin/cs-firewall-bouncer +VARCONFIGDIR=/var/etc/crowdsec/bouncers +VARCONFIG=/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml + +CONFIGURATION=crowdsec + +TABLE="crowdsec" +TABLE6="crowdsec6" + +service_triggers() { + procd_add_reload_trigger crowdsec-firewall-bouncer + procd_add_config_trigger "config.change" "crowdsec" /etc/init.d/crowdsec-firewall-bouncer reload +} + +init_yaml() { + + local section="$1" + + local update_frequency + local log_level + local api_url + local api_key + local ipv6 + local deny_action + local deny_log + local log_prefix + local log_max_size + local log_max_backups + local log_max_age + local ipv4 + local input_chain_name + local input6_chain_name + + config_get update_frequency $section update_frequency '10s' + config_get log_level $section log_level 'info' + config_get api_url $section api_url "http://127.0.0.1:8080" + config_get api_key $section api_key "API_KEY" + config_get_bool ipv6 $section ipv6 '1' + config_get deny_action $section deny_action "drop" + config_get_bool deny_log $section deny_log '0' + config_get log_prefix $section log_prefix "crowdsec: " + config_get log_max_size $section log_max_size '100' + config_get log_max_backups $section log_max_backups '3' + config_get log_max_age $section log_max_age '30' + config_get_bool ipv4 $section ipv4 '1' + config_get input_chain_name $section input_chain_name "input" + config_get input6_chain_name $section input6_chain_name "input" + + # Create tmp dir & permissions if needed + if [ ! -d "${VARCONFIGDIR}" ]; then + mkdir -m 0755 -p "${VARCONFIGDIR}" + fi; + + cat > $VARCONFIG <<-EOM + mode: nftables + pid_dir: /var/run/ + update_frequency: $update_frequency + daemonize: true + log_mode: file + log_dir: /var/log/ + log_level: $log_level + log_compression: true + log_max_size: $log_max_size + log_max_backups: $log_max_backups + log_max_age: $log_max_age + api_url: $api_url + api_key: $api_key + insecure_skip_verify: true + disable_ipv6: boolnot($ipv6) + deny_action: $deny_action + deny_log: bool($deny_log) + supported_decisions_type: + - ban + #to change log prefix + deny_log_prefix: "$log_prefix" + #to change the blacklists name + blacklists_ipv4: crowdsec-blacklists + blacklists_ipv6: crowdsec6-blacklists + #type of ipset to use + ipset_type: nethash + #if present, insert rule in those chains + iptables_chains: + - INPUT + # - FORWARD + # - DOCKER-USER + ## nftables + nftables: + ipv4: + enabled: bool($ipv4) + set-only: true + table: $TABLE + chain: $input_chain_name + ipv6: + enabled: bool($ipv6) + set-only: true + table: $TABLE6 + chain: $input6_chain_name + # packet filter + pf: + # an empty disables the anchor + anchor_name: "" + prometheus: + enabled: false + listen_addr: 127.0.0.1 + listen_port: 60601 + EOM + + sed -i "s/bool(1)/true/g" $VARCONFIG + sed -i "s/bool(0)/false/g" $VARCONFIG + sed -i "s/boolnot(1)/false/g" $VARCONFIG + sed -i "s/boolnot(0)/true/g" $VARCONFIG + sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG + sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG +} + +init_nftables() { + + local section="$1" + + local priority + local deny_action + local deny_log + local log_prefix + local ipv4 + local ipv6 + local filter_input + local filter_forward + local input_chain_name + local forward_chain_name + local input6_chain_name + local forward6_chain_name + local interface + local log_term="" + + config_get priority $section priority "4" + config_get deny_action $section deny_action "drop" + config_get_bool deny_log $section deny_log '0' + config_get log_prefix $section log_prefix "crowdsec: " + config_get_bool ipv4 $section ipv4 '1' + config_get_bool ipv6 $section ipv6 '1' + config_get_bool filter_input $section filter_input '1' + config_get_bool filter_forward $section filter_forward '1' + config_get input_chain_name $section input_chain_name "input" + config_get forward_chain_name $section forward_chain_name "forward" + config_get input6_chain_name $section input6_chain_name "input" + config_get forward6_chain_name $section forward6_chain_name "forward" + config_get interface $section interface 'eth1' + + if [ "$deny_log" -eq "1" ] ; then + local log_term="log prefix \"${log_prefix}\"" + fi + + local interface="${interface// /, }" + + #as of kernel 3.18 we can delete a table without need to flush it + nft delete table ip crowdsec 2>/dev/null + nft delete table ip6 crowdsec6 2>/dev/null + + if [ "$ipv4" -eq "1" ] ; then + + nft add table ip crowdsec + nft add set ip crowdsec crowdsec-blacklists '{ type ipv4_addr; flags timeout; }' + + if [ "$filter_input" -eq "1" ] ; then + nft add chain ip "$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }" + nft add rule ip "$TABLE" $input_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action + fi + if [ "$filter_forward" -eq "1" ] ; then + nft add chain ip "$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }" + nft add rule ip "$TABLE" $forward_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action + fi + fi + + if [ "$ipv6" -eq "1" ] ; then + + nft add table ip6 crowdsec6 + nft add set ip6 crowdsec6 crowdsec6-blacklists '{ type ipv6_addr; flags timeout; }' + + if [ "$filter_input" -eq "1" ] ; then + nft add chain ip6 "$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }" + nft add rule ip6 "$TABLE6" $input6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action + fi + if [ "$filter_forward" -eq "1" ] ; then + nft add chain ip6 "$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }" + nft add rule ip6 "$TABLE6" $forward6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action + fi + fi +} + +run_bouncer() { + + local section="$1" + + local enabled + config_get_bool enabled $section enabled 0 + + if [ "$enabled" -eq "1" ] ; then + + init_yaml "$section" + init_nftables "$section" + + procd_open_instance + procd_set_param command "$PROG" -c "$VARCONFIG" + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_set_param nice 10 + if [ -x "/sbin/ujail" ]; then + procd_add_jail cs-bouncer log + procd_add_jail_mount $VARCONFIG + procd_add_jail_mount_rw /var/log/ + procd_set_param no_new_privs 1 + fi + procd_close_instance + fi +} + +start_service() { + + config_load "${CONFIGURATION}" + config_foreach run_bouncer bouncer +} + +service_stopped() { + + rm $VARCONFIG + + nft delete table ip crowdsec 2>/dev/null + nft delete table ip6 crowdsec6 2>/dev/null +} + + diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec.config b/net/crowdsec-firewall-bouncer/files/crowdsec.config new file mode 100644 index 00000000..ad43bd11 --- /dev/null +++ b/net/crowdsec-firewall-bouncer/files/crowdsec.config @@ -0,0 +1,15 @@ +config bouncer + option enabled '0' + option ipv4 '1' + option ipv6 '1' + option api_url 'http://localhost:8080/' + option api_key '' + option update_frequency '10s' + option deny_action 'drop' + option deny_log '0' + option log_prefix 'crowdsec: ' + option log_level 'info' + option filter_input '1' + option filter_forward '1' + list interface 'eth1' +